
From addressing tech obsolescence to improving digital resilience

Imagine a hospital paralyzed by ransomware, critical medical devices rendered inoperative, and sensitive patient data stolen. Unfortunately, it’s a reality that many healthcare organizations across Europe, and the world, have faced.

As healthcare systems undergo digital transformation, policymakers and healthcare leaders must confront an uncomfortable truth: cybersecurity is no longer just an IT issue. It is a core component of patient care and organizational resilience.

The European Commission’s Action Plan on the Cybersecurity of Hospitals and Healthcare Providers is a timely and welcome initiative, and it must be matched by urgent, bold, and coordinated action across Europe.

This blog explores why healthcare is so attractive for cybercriminals and outlines five actions to reset how we approach security in the sector with a long-term vision. This comprehensive, forward-looking approach addresses the unique vulnerabilities of healthcare while enabling organizations to build long-term resilience.

The Healthcare Sector: A Prime Target for Cybercriminals

In 2024, the healthcare sector became the most targeted industry for ransomware attacks, with cybercriminals exploiting vulnerabilities in outdated systems, fragmented IT environments, and overburdened staff. The stakes are high: the average cost of a data breach in healthcare is $9.77 million, higher than in any other sector. Worse yet, these attacks don’t just harm balance sheets; they jeopardize patient safety, delay care, and erode public trust.

A ransomware attack doesn’t just lock data; it may also put human lives at risk. Cybersecurity must be treated as being as essential to patient care as a sterile operating room.

The healthcare sector combines a perfect storm of vulnerabilities, making it a particularly attractive target for cyberattacks.

First, healthcare organizations hold a treasure trove of sensitive data. Medical records are worth up to 50 times more than credit card numbers on the dark web because they cannot be cancelled. They can be used to file fraudulent insurance claims, obtain prescription medications, or build complete profiles for identity theft.

Second, healthcare systems rely on a mix of modern and legacy technology. While the latest devices and software enable faster and more accurate diagnoses, many hospitals still run outdated IT systems. In 2019, 71% of medical devices were running on obsolete or near-obsolete software. Even in 2022, 60% of French hospitals were still operating on outdated infrastructure, including systems which no longer receive security updates. This significantly expands the attack surface and often allows attackers to persist undetected, worsening the impact of breaches.

Third, the human factor cannot be ignored. Cybersecurity is not yet embedded in the healthcare culture. Phishing remains the most common entry point for attacks, whilst weak passwords, shadow IT, and lack of awareness are pervasive issues. In France, 70% of successful cyberattacks in healthcare are attributed to human error.

Finally, disparities across the sector exacerbate vulnerabilities. Larger hospitals often have dedicated cybersecurity teams, tools, and budgets, whereas smaller hospitals, clinics, and general practitioners rely on limited resources, sometimes none at all. This results in a sector where vulnerabilities are systemic, attackers are emboldened, and the consequences of inaction are too severe to ignore.

Rethinking Cybersecurity: Five concrete actions for policymakers and healthcare organizations

1. Treat Obsolete IT Systems as a Systemic Risk

Outdated IT systems and devices are not just an operational inconvenience; they are a ticking time bomb and a systemic risk to healthcare delivery.

Policymakers must incentivize healthcare organizations to identify and mitigate vulnerabilities associated with legacy systems. The European Commission’s proposed cybersecurity maturity assessments for healthcare are a step in the right direction, but they must be paired with actionable solutions.

For example, network segmentation can isolate vulnerable systems to prevent lateral movement by attackers. As a result of the Cyber Maturity Assessments, the Support Centre could produce a ‘watch list’ of key obsolete devices and systems that should be replaced as a matter of priority across the EU. It should also estimate the costs of replacement. When mitigation is not enough, funding must be allocated to replace end-of-life devices and software. Importantly, this funding should not stop at one-off purchases but must account for ongoing maintenance and upgrades.

2. Reimagine IT Spending Models

Many hospitals operate under rigid spending models that prioritize capital expenditures (CapEx) over operational expenditures (OpEx). This is at odds with the growing trend toward subscription-based service models in the IT and cybersecurity sectors.

Hospitals must have the flexibility to reallocate funds between CapEx and OpEx without bureaucratic delays or approvals. Policymakers should work with national healthcare authorities to revise budgetary rules, enabling healthcare organizations to adopt and sustain advanced cybersecurity solutions. Without this flexibility, even the best tools risk becoming underutilized or abandoned when operational budgets run out.

3. Elevate Cybersecurity Training to a Strategic Priority

The healthcare sector’s largest vulnerability is not technology; it’s people. Regular, sector-specific cybersecurity training must be mandatory for all healthcare staff, from IT teams to frontline medical professionals.

Training should not only cover basic cyber hygiene but also prepare staff to respond effectively during an attack. For example, teams should practice executing downtime procedures to ensure continuity of care even when systems are compromised. Policymakers must mandate this training cadence in regulations like the NIS2 Directive and, importantly, provide resources to make training easily accessible.

4. Encourage Resource Sharing and Regional Collaboration

Not every hospital can afford a dedicated cybersecurity team, but resource sharing and regional collaboration offer scalable ways to bridge this gap. Member States should encourage hospitals to pool their IT and cybersecurity resources, as seen in France’s “Groupements Hospitaliers de Territoire.”

These regional groupings allow hospitals to share IT systems, issue joint action plans, and conduct collective cybersecurity exercises. Such collaboration can also help optimize costs and extend threat intelligence sharing, enabling healthcare providers to learn from each other and stay ahead of emerging threats.

Policymakers should encourage such models across Europe, extending collaboration to laboratories, healthcare insurers, and research institutions to build a resilient healthcare ecosystem that protects patient data and ensures continuity of care.

5. Secure Electronic Health Records (EHRs) as a Top Priority

With the advent of the European Health Data Space (EHDS), EHRs will become central to healthcare delivery and research. However, this also makes them prime targets for cyberattacks.

Policymakers must ensure that EHR systems meet the stringent cybersecurity requirements outlined in the Cyber Resilience Act. This includes robust access controls, encryption, and interoperability standards to ensure that EHRs can be securely exchanged across borders. Protecting EHRs will require not just technical solutions but also comprehensive risk management strategies tailored to the healthcare sector.

A Shared Responsibility

Cybersecurity in healthcare is a shared responsibility that requires collaboration across the European Commission, Member States’ governments, healthcare organizations, and the private sector. Policymakers must create the regulatory and funding frameworks needed to enable action, while healthcare leaders must prioritize cybersecurity as a strategic imperative. The private sector, too, has a crucial role to play, from providing advanced cybersecurity solutions to addressing the skills gap.

Policymakers and healthcare leaders must seize this moment to rethink their approach to cybersecurity. By addressing vulnerabilities head-on, fostering collaboration, and investing in long-term resilience, we can build a secure and thriving healthcare ecosystem capable of protecting sensitive data and ensuring uninterrupted care.